Oracle® Application Server Single Sign-On Administrator's Guide 10g (9.0.4) Part Number B10851-01
OracleAS Single Sign-On enables you to use a single user name and password and, optionally, realm ID, to log in to all features of OracleAS as well as to other Web applications.
OracleAS Single Sign-On provides the following benefits:
The single sign-on server eliminates the need to support multiple accounts and passwords.
Users do not have to maintain a separate user name and password for each application that they access.
When a password is required only once, users are less likely to use simple, easily exposed passwords or to write these passwords down.
This chapter covers the following topics:
OracleAS Single Sign-On interacts with the following components:
The single sign-on server consists of program logic in the OracleAS database, Oracle HTTP Server, and OC4J server that enables you to log in securely to applications such as expense reports, mail, and benefits. These applications take two forms: partner applications and external applications. In both cases, you gain access to several applications by authenticating only once.
OracleAS applications delegate the authentication function to the single sign-on server. For this reason, they are called partner applications. Either an authentication module called mod_osso or the single sign-on SDK enables these applications to accept authenticated user information instead of a user name and password once you have logged in to the single sign-on server.
A partner application is responsible for determining whether a user authenticated by OracleAS Single Sign-On has the requisite application privileges.
Examples of partner applications include OracleAS Portal, OracleAS Discoverer, and the single sign-on server itself.
External applications do not delegate authentication to the single sign-on server. Instead, they display HTML login forms that ask for application user names and passwords. Each external application may require a unique user name and password. Yahoo! Mail is an example of an external application that uses HTML login forms.
You can configure the single sign-on server to provide user names and passwords to external applications on users' behalf once they have logged in to the single sign-on server. Users have the option of storing application credentials in the single sign-on database. The server uses the single sign-on user name to locate and retrieve application names and passwords and log the user in. To save these credentials, the user selects the Remember My Login Information For This Application check box when first logging in.
mod_osso is an Oracle HTTP Server module that provides authentication to OracleAS applications. It is an alternative to the single sign-on SDK, used in earlier releases of OracleAS Single Sign-On to integrate partner applications. Located on the application server, mod_osso simplifies the authentication process by serving as the sole partner application to the single sign-on server. In this way, mod_osso renders authentication transparent to OracleAS applications. The administrator for these applications is spared the burden of integrating them with the SDK.
After authenticating the user, mod_osso transmits the simple header values that applications need to validate her. These include the following:
For details about the attributes that the single sign-on server passes to mod_osso in the URLC token, see Table D-1 in Oracle Application Server Single Sign-On Application Developer's Guide. To learn how to develop applications using mod_osso, see Chapter 2 in the same book.
Oracle Internet Directory is the repository for all single sign-on user accounts and passwords, administrative and nonadministrative. The single sign-on server authenticates the user against his or her entry in the directory. At the same time, it retrieves user attributes from the directory that enable applications to validate the user.
OracleAS Single Sign-On is just one link in an integrated infrastructure that also includes Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Delegated Administration Service, and OracleAS Certificate Authority. Working together, these components, called the Oracle identity management infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way.
To learn more about the benefits of Oracle identity management, see Oracle Identity Management Concepts and Deployment Planning Guide.
This section describes the following processes:
Nonadministrative users first gain access to the single sign-on server by entering the URL of a partner application such as OracleAS Portal or OracleAS Discoverer. Entering such a URL invokes the single sign-on login screen. Once they have entered the correct user name and password, users gain access to other partner applications and to external applications without having to provide credentials again.
Administrative users can access the administration home page for single sign-on by typing a URL of the following form:
http://host:port/pls/single_sign-on_DAD

where host is the computer where the single sign-on server is located, port is the port number of the server, and single_sign-on_DAD is the database access descriptor for the single sign-on schema. The default DAD is orasso.
Figure 1-1 shows what happens when the user requests the URL of a partner application that is protected by mod_osso.
External applications are available through OracleAS Portal, a single sign-on partner application.
This section contains these topics:
To gain access to an external application, you select the External Applications portlet on the OracleAS Portal home page; then, from the list of external applications that appears, you select an application.
Selecting an application in the External Applications portlet initiates the external application login procedure. The following occurs if you are accessing the application for the first time:
If you decline to save your credentials in the password store, you must enter a user name and password each time that you log in.
If you saved your credentials when accessing an external application for the first time, the single sign-on server retrieves your credentials for you during subsequent logins. The process works like this:
Unlike partner applications, external applications do not cede logout control to the single sign-on server. It is the user's responsibility to log out of each of these applications.
You can terminate a single sign-on session and log out of all active partner applications simultaneously by logging out of whatever application you are working in. Clicking Logout in a partner application takes you to the single sign-off page, where logout occurs.
If you signed off successfully, each of the applications listed on the single sign-off page has a check mark next to the application name. A broken image next to an application name denotes an unsuccessful logout.
Once all of the application names activated in a session have a check mark, you can click Return to go to the application from which you initiated logout.
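The partner-application model described earlier in this chapter (the user authenticates once to the single sign-on server, and each partner application accepts the authenticated identity and keeps only its own privilege check) together with the single sign-off just described, reduced to a small Python model. This is an added example, not Oracle's code or mod_osso's: the class names, the constructed directory entries, the opaque session cookie and the "ok"/"forbidden"/"redirect-to-sso-login" return values are assumptions made for illustration.

```python
"""Added example (not Oracle's code): one login, several partner applications."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password, salt):
    # Salted PBKDF2 stand-in for however the directory stores verifiers.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Constructed stand-in for the user entries the server authenticates against."""

    def __init__(self, seed):
        self._entries = {}
        for name, password in seed.items():          # plaintext only to seed the example
            salt = os.urandom(16)
            self._entries[name] = (salt, _hash_password(password, salt))

    def verify(self, user, password):
        entry = self._entries.get(user)
        if entry is None:
            _hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))


class SingleSignOnServer:
    def __init__(self, directory):
        self._directory = directory
        self._sessions = {}      # session cookie value -> user name
        self._partners = []      # registered partner applications

    def register_partner(self, app):
        self._partners.append(app)

    def login(self, user, password):
        """Return an unguessable session cookie on success, None otherwise."""
        if not self._directory.verify(user, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def authenticate(self, cookie):
        """The question a partner application delegates: whose session is this?"""
        return self._sessions.get(cookie)

    def logout(self, cookie):
        """Single sign-off: end the SSO session and every partner session at once."""
        user = self._sessions.pop(cookie, None)
        if user is None:
            return {}
        # One entry per partner application, True meaning "check mark" on the sign-off page.
        return {app.name: app.end_session(user) for app in self._partners}


class PartnerApplication:
    def __init__(self, name, sso, privileges):
        self.name = name
        self._sso = sso
        self._privileges = privileges        # user -> set of actions this app allows
        self._active_users = set()
        sso.register_partner(self)

    def request(self, cookie, action):
        user = self._sso.authenticate(cookie)   # authentication is delegated ...
        if user is None:
            return "redirect-to-sso-login"
        self._active_users.add(user)
        if action not in self._privileges.get(user, set()):   # ... authorization is not
            return "forbidden"
        return "ok:%s:%s" % (user, action)

    def end_session(self, user):
        self._active_users.discard(user)
        return user not in self._active_users


def demo():
    """Walk one user through two partner applications and a single sign-off."""
    sso = SingleSignOnServer(Directory({"jsmith": "correct horse battery staple"}))
    portal = PartnerApplication("Portal", sso, {"jsmith": {"view"}})
    discoverer = PartnerApplication("Discoverer", sso, {"jsmith": {"view", "export"}})
    results = {}
    results["no_session"] = portal.request("stale-cookie", "view")
    results["bad_password"] = sso.login("jsmith", "wrong")
    cookie = sso.login("jsmith", "correct horse battery staple")
    results["portal_view"] = portal.request(cookie, "view")
    results["portal_export"] = portal.request(cookie, "export")        # app-level privilege check
    results["discoverer_export"] = discoverer.request(cookie, "export")  # no second password prompt
    results["signoff"] = sso.logout(cookie)
    results["after_signoff"] = discoverer.request(cookie, "view")
    return results
```

Note that a wrong password never yields a cookie, a partner application rejects an unknown cookie before looking at privileges, and after sign-off the same cookie sends the user back to the login screen in every partner application.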
The change password screen appears only when your password has expired, or is about to expire, and you try to log in. If the password is still valid, you can click Cancel on this screen and proceed with the login.
To change or reset a password under other circumstances, the nonadministrative user must go to Oracle Delegated Administration Services, a service of Oracle Internet Directory that performs user and group management functions.
The Oracle Delegated Administration Services home page is found at a URL of the following form:
http://host:port/oiddas/

where host is the name of the computer where Oracle Delegated Administration Services is located, and port is the port number of this server. Oracle Delegated Administration Services and OracleAS Single Sign-On generally have the same host name.
The global user inactivity timeout is a feature that enables applications to force you to reauthenticate if you have been idle for a preconfigured amount of time. This timeout is a useful feature for sensitive applications that require a shorter user inactivity timeout than the single sign-out session timeout.
When you exceed the global user inactivity timeout limit and try to access the application, the application sends the single sign-on server an authentication request as usual. The server, ascertaining that you have exceeded the timeout limit, prompts you to log in. If you have not exceeded the limit, the server uses the session cookie to authenticate you.
See Also: "Configuring the Global User Inactivity Timeout" in Chapter 2, "Basic Administration"
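The decision the two paragraphs above describe, as an added Python example that is not Oracle's code: when an application forwards an authentication request, the server compares the idle time recorded for the session cookie against the application's inactivity limit, and only a session that is neither expired nor idle for too long is accepted without a new login. The SessionCookie record, the assumption that the session timeout is measured from when the session began, and the concrete timeout values are assumptions for illustration.

```python
"""Added example (not Oracle's code): inactivity timeout versus session timeout."""
from dataclasses import dataclass


@dataclass
class SessionCookie:
    user: str
    created_at: float      # seconds: when the single sign-on session began (assumption)
    last_activity: float   # seconds: last time the server saw the user active


def authentication_decision(cookie, now, session_timeout, inactivity_timeout=None):
    """Return ("authenticated", user) or ("login-required", reason).

    inactivity_timeout is the application's global user inactivity timeout; None
    means the application relies on the single sign-on session timeout alone.
    """
    if cookie is None:
        return ("login-required", "no session cookie")
    if now - cookie.created_at > session_timeout:
        return ("login-required", "session expired")
    if inactivity_timeout is not None and now - cookie.last_activity > inactivity_timeout:
        return ("login-required", "inactivity timeout exceeded")
    cookie.last_activity = now          # accepted: the session is active again
    return ("authenticated", cookie.user)


def demo():
    """A sensitive application with a 15-minute idle limit beside one without."""
    session_timeout = 8 * 3600          # constructed value
    benefits_idle_limit = 15 * 60       # constructed value for the sensitive application
    cookie = SessionCookie("jsmith", created_at=0.0, last_activity=0.0)
    out = {}
    # After 20 idle minutes the sensitive application forces a new login ...
    out["benefits_idle_20min"] = authentication_decision(cookie, 1200.0, session_timeout, benefits_idle_limit)
    # ... while the portal, with no application-level limit, still accepts the cookie.
    out["portal_idle_20min"] = authentication_decision(cookie, 1200.0, session_timeout)
    # Five minutes after that activity the sensitive application accepts the cookie too.
    out["benefits_after_activity"] = authentication_decision(cookie, 1500.0, session_timeout, benefits_idle_limit)
    # Past the session timeout every application sends the user back to log in.
    out["portal_after_9h"] = authentication_decision(cookie, 9 * 3600.0, session_timeout)
    out["no_cookie"] = authentication_decision(None, 0.0, session_timeout)
    return out
```

The two checks are independent: an application may set an inactivity limit shorter than the session lifetime, but no application can extend a session beyond it.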
You can use mobile, or wireless, devices such as personal digital assistants, cellular phones, and voice recognition systems to access OracleAS applications. As in PC-based systems, the authentication mechanism is OracleAS Single Sign-On. You can select the wireless option when installing OracleAS. If you do, Portal-to-Go, the gateway for mobile devices, is registered with the single sign-on server automatically.
To learn more about OracleAS Wireless see Oracle Application Server Wireless Administrator's Guide and Oracle Application Server Wireless Developer's Guide.
Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.